Security Operations Fundamentals > [T2]: Lab - Microsoft Sentinel SIEM - How to investigate an incident
How to investigate an incident
Note: This lesson cannot be applied in the provided Azure environment because of the Azure data retention period of 90 days. However, the lesson is still valuable for teaching you the methodology and the steps taken to investigate an incident in a SIEM.
To investigate the incident, click on Incidents, select the one shown in the screenshot below, change Unassigned to your account, change the Status to Active, and click on "View full details".
[Figure]
The incident pane will give you more insights and details about the incident.
[Figure]
Click on Investigate. You will explore a connected graph that represents the incident details:
[Figure]
You will notice that the Windows 10 host is under a brute-force attack from two suspicious IP addresses (Entities).
As an analyst, one of your tasks is to analyze these suspicious entities. Copy the IP address 80.66.76.145 and analyze it with VirusTotal. You will notice that the information security community has already flagged the IP address as malicious.
[Figure]
[Figure]
If you use another online analysis service, such as Open Threat Exchange (OTX), you will notice that the IP address is flagged as malicious by many sources.
[Figure]
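The VirusTotal lookup and the corroboration with a second source described above can be scripted so the result lands in the incident comments in a consistent form. This is an added example, not code from the lesson: the VirusTotal v3 ip_addresses endpoint and the x-apikey header are real; the verdict threshold, the helper names (fetch_vt_ip_report, assess_ip, incident_comment) and SAMPLE_REPORT are assumptions constructed for the example.

```python
# Added example (not part of the lesson). The v3 endpoint and 'x-apikey' header are
# VirusTotal's; the threshold and SAMPLE_REPORT are constructed, not a real lookup result.
import json
import os
import urllib.request

VT_IP_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"

# Constructed sample shaped like a VT v3 IP report (values invented for the example).
SAMPLE_REPORT = {"data": {"id": "80.66.76.145", "type": "ip_address", "attributes": {
    "as_owner": "EXAMPLE-AS (constructed)", "country": "XX",
    "last_analysis_stats": {"harmless": 58, "malicious": 12, "suspicious": 2,
                            "undetected": 16, "timeout": 0},
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "malware"},
        "VendorB": {"category": "suspicious", "result": "suspicious"},
        "VendorC": {"category": "harmless", "result": "clean"}}}}}


def fetch_vt_ip_report(ip: str, api_key: str = "") -> dict:
    """Live lookup; needs network access and a VirusTotal API key (env VT_API_KEY)."""
    api_key = api_key or os.environ.get("VT_API_KEY", "")
    if not api_key:
        raise RuntimeError("set VT_API_KEY or pass api_key")
    req = urllib.request.Request(VT_IP_URL.format(ip=ip), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assess_ip(report: dict, malicious_threshold: int = 3) -> dict:
    """Reduce a VT IP report to the fields an analyst records on the incident."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    flagged_by = sorted(v for v, r in attrs.get("last_analysis_results", {}).items()
                        if r.get("category") in ("malicious", "suspicious"))
    if malicious >= malicious_threshold:
        verdict = "malicious"      # enough engines agree to treat the entity as hostile
    elif malicious + suspicious:
        verdict = "suspicious"     # only a few hits: corroborate with a second source (OTX)
    else:
        verdict = "no detections"
    return {"ip": report["data"]["id"], "verdict": verdict, "malicious": malicious,
            "suspicious": suspicious, "engines": sum(stats.values()),
            "flagged_by": flagged_by, "as_owner": attrs.get("as_owner")}


def incident_comment(summary: dict) -> str:
    """Text to paste into the incident's comment section as the enrichment record."""
    return (f"VirusTotal: {summary['ip']} is {summary['verdict']} ({summary['malicious']} "
            f"malicious, {summary['suspicious']} suspicious of {summary['engines']} "
            f"engines; flagged by {', '.join(summary['flagged_by']) or 'none'})")
```

Run assess_ip on a live fetch_vt_ip_report result to get the same summary for the incident's other entity.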
Analysts will document the performed activities in the comment section.
[Figure]
The final step is to close the incident. The analyst will change the status to Closed, select the incident classification, and close the incident.
[Figure]
Additional Resources: